
fix(security): proxy Chainalysis API key through server-side route #547

Open
danieloche635-bit wants to merge 2 commits into
MettaChain:main from
danieloche635-bit:fix/442-chainalysis-api-key-proxy

Conversation

@danieloche635-bit


Summary (P0)

The Chainalysis API key was exposed via `(window as any).CHAINALYSIS_API_KEY` in the browser bundle, making it trivially extractable via DevTools.

Changes

  • Created `/api/security/address-check` Next.js API route that proxies Chainalysis requests server-side
  • Removed `(window as any).CHAINALYSIS_API_KEY` from `blockchainSecurity.ts`
  • Browser code now calls the local proxy endpoint instead
  • API key is configured via the `CHAINALYSIS_API_KEY` server-only env variable
  • Added `security:check-globals` npm script (greps for `__GLOBAL__` patterns in source)
  • Updated default config to not include any API key

Tests

  • Added 2 new tests verifying proxy endpoint URL construction
  • All 30 existing tests pass without modification

Closes #442

- Replace localStorage plaintext UUID storage with salted hash
- Add per-session salt stored in sessionStorage
- Add synchronous hash function for device identity
- Update tests to verify hashed storage behavior

Closes MettaChain#448

- Add /api/security/address-check Next.js API route to proxy Chainalysis requests
- Remove API key exposure from browser via window global (__CHAINALYSIS_API_KEY__)
- Move API key to server-only CHAINALYSIS_API_KEY env variable
- Add security:check-globals npm script to prevent future __ global leaks
- Update tests to verify proxy endpoint usage

Closes MettaChain#442
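
Added example (not code from the MettaChain repository or from this PR) of the pattern the description lays out: the browser calls a same-origin route, the route reads `CHAINALYSIS_API_KEY` from server-only env, validates the one user-controlled input, calls upstream, and re-shapes the response so neither the key nor the raw upstream payload ever reaches the bundle; a small scanner in the spirit of the `security:check-globals` script is included. The route path follows the PR; the `address` query parameter, the upstream URL, the `X-API-Key` header name, the `risk` response field and the stub fetcher are assumptions, not the Chainalysis API contract.

```typescript
// Added example, not MettaChain's own code. The upstream URL, header name and
// response shape below are placeholders (assumptions), not the real Chainalysis API.
const UPSTREAM_BASE = "https://api.chainalysis.example/v1/address"; // assumption
const UPSTREAM_KEY_HEADER = "X-API-Key"; // assumption

type Env = { CHAINALYSIS_API_KEY?: string };
type Fetcher = (url: string, init?: RequestInit) => Promise<Response>;

function json(status: number, body: unknown): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Strict allow-list on the only user-controlled value that reaches upstream,
// so the proxy cannot be used to hit arbitrary upstream paths.
export function isValidEvmAddress(address: string): boolean {
  return /^0x[0-9a-fA-F]{40}$/.test(address);
}

// Server-only handler: the key is read from env here and is never serialized
// into the response, so it cannot appear in the browser bundle or DevTools.
export async function handleAddressCheck(
  request: Request,
  env: Env,
  fetchImpl: Fetcher,
): Promise<Response> {
  const apiKey = env.CHAINALYSIS_API_KEY;
  if (!apiKey) return json(503, { error: "address check unavailable" }); // fail closed

  const address = new URL(request.url).searchParams.get("address") ?? "";
  if (!isValidEvmAddress(address)) return json(400, { error: "invalid address" });

  let upstream: Response;
  try {
    upstream = await fetchImpl(`${UPSTREAM_BASE}/${address}`, {
      headers: { [UPSTREAM_KEY_HEADER]: apiKey, accept: "application/json" },
    });
  } catch {
    return json(502, { error: "upstream unreachable" });
  }
  if (!upstream.ok) return json(502, { error: "upstream error" });

  // Forward only the fields the UI needs; never the upstream headers or raw body.
  const data = (await upstream.json()) as { risk?: string };
  return json(200, { address, risk: data.risk ?? "unknown" });
}

// What a Next.js App Router route.ts would export; env comes from process.env there.
export const GET = (request: Request): Promise<Response> =>
  handleAddressCheck(request, (globalThis as any).process?.env ?? {}, fetch);

// Browser side: same-origin proxy URL only; no key and no upstream host in the bundle.
export function addressCheckUrl(address: string): string {
  return `/api/security/address-check?address=${encodeURIComponent(address)}`;
}

// Guard in the spirit of the security:check-globals script: report every
// `__NAME__` attached to `window` or `(window as any)` in a source string.
export function findWindowGlobalLeaks(source: string): string[] {
  const re = /\(?window(?:\s+as\s+any)?\)?\.(__[A-Z0-9_]+__)/g;
  const found = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) found.add(m[1]);
  return Array.from(found);
}

// Constructed stub standing in for the upstream API; records what the proxy sent
// and returns an extra field the proxy must not forward.
export function makeStubFetcher(expectedKey: string) {
  const calls: { url: string; key: string | undefined }[] = [];
  const fetcher: Fetcher = async (url, init) => {
    const key = new Headers(init?.headers).get(UPSTREAM_KEY_HEADER) ?? undefined;
    calls.push({ url, key });
    if (key !== expectedKey) return json(401, { error: "bad key" });
    return json(200, { risk: "Severe", internal: "do-not-forward" });
  };
  return { fetcher, calls };
}
```

The handler takes `env` and `fetchImpl` as parameters so the same code can be exercised offline against the stub; in the real route the `GET` export passes `process.env` and the global `fetch`. The 503 on a missing key is deliberate: a misconfigured server should refuse rather than silently return "unknown" risk.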
@drips-wave

drips-wave Bot commented Jun 27, 2026


@danieloche635-bit Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Development

Successfully merging this pull request may close these issues.

security: Chainalysis API key exposed via window global